[dice] Remove all the sepolicy relating the hal service dice
As the service is not used anywhere for now and in the near future.
Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 477f78f..22f2ffa 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,16 +746,6 @@
use_dev_id
}
-class diced
-{
- demote
- demote_self
- derive
- get_attestation_chain
- use_seal
- use_sign
-}
-
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 0d3cc80..200b030 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,8 +163,5 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
-# Diced permissions
-class diced # userspace
-
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 61bf8fb..cfefc67 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -139,9 +139,6 @@
attribute halclientdomain;
expandattribute halclientdomain true;
-# HALs
-hal_attribute(dice);
-
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 56da496..5737284 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,4 +1,9 @@
;; types removed from current policy
+(type dice_maintenance_service)
+(type dice_node_service)
+(type diced)
+(type diced_exec)
+(type hal_dice_service)
(type iorap_inode2filename)
(type iorap_inode2filename_exec)
(type iorap_inode2filename_tmpfs)
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 5d5965e..60962cb 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,7 +8,6 @@
-apexd
-bpfloader
-crash_dump
- -diced
-init
-kernel
-keystore
@@ -43,7 +42,6 @@
apexd
userdebug_or_eng(`-apexd')
bpfloader
- diced
init
kernel
keystore
diff --git a/private/diced.te b/private/diced.te
deleted file mode 100644
index b37809c..0000000
--- a/private/diced.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute diced coredomain;
-
-init_daemon_domain(diced)
-
-# Talk to dice HAL.
-hal_client_domain(diced, hal_dice)
diff --git a/private/domain.te b/private/domain.te
index 9a0efb1..1e5e0f5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -18,7 +18,6 @@
-bpfloader
-crash_dump
-crosvm # TODO(b/236672526): Remove exception for crosvm
- -diced
-init
-kernel
-keystore
diff --git a/private/file_contexts b/private/file_contexts
index 2b98801..57fcdfb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -290,7 +290,6 @@
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
-/system/bin/diced u:object_r:diced_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 718ce81..91418b5 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -52,7 +52,6 @@
apexd
app_zygote
bpfloader
- diced
hal_configstore_server
init
kernel
diff --git a/private/llkd.te b/private/llkd.te
index 8512e85..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,7 +23,6 @@
allow llkd {
domain
-apexd
- -diced
-kernel
-keystore
-init
diff --git a/private/service_contexts b/private/service_contexts
index db48f62..6543e3f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -84,7 +84,6 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@@ -136,8 +135,6 @@
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 31fa620..640b054 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -66,7 +66,6 @@
apexd
app_zygote
bpfloader
- diced
hal_configstore_server
init
kernel
diff --git a/public/attributes b/public/attributes
index 4897be5..0b5f596 100644
--- a/public/attributes
+++ b/public/attributes
@@ -336,7 +336,6 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
-hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
diff --git a/public/diced.te b/public/diced.te
deleted file mode 100644
index 0908936..0000000
--- a/public/diced.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type diced, domain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-binder_use(diced)
-binder_service(diced)
-
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# Check SELinux permissions.
-selinux_check_access(diced)
diff --git a/public/hal_dice.te b/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/public/service.te b/public/service.te
index 68fd9e2..1f86ff2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,8 +10,6 @@
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
-type dice_maintenance_service, service_manager_type;
-type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@@ -285,7 +283,6 @@
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7d9119e..ac23351 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -95,7 +95,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
deleted file mode 100644
index 832e717..0000000
--- a/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)